2015-05-20

- A to Z Security Consulting from LG CNS (3) -

In March, a survey on the 'Areas of Greatest Concern for Personal Data Breaches in 2015' was conducted by Boan News, a security-focused online news outlet in Korea. The top two were the finance and health care sectors. The finance sector appears to be tightening its security measures in response to last year's multiple credit card data breaches. Security measures in the health care sector, however, receive relatively little attention, even though medical data is far more important and sensitive than financial information.



Survey on the areas of greatest concern for personal data breaches (Source: Boan News, March 2015)

Today, let’s take a look at some cases of medical data breaches and personal medical information flow as well as possible threats and the countermeasures being planned.

How Has Medical Data Become a Target?

Personal data breaches have been an issue for some time. Why, then, are we seeing more medical breach cases lately? Most likely because medical data is profitable both for hackers and for insiders who leak it.

First, personal medical information can be used to target insurance products and to find out where a person has received medical treatment. It can also be processed into forms such as prescription market trends, sales trend analyses, and major disease trends, which pharmaceutical companies can use when setting sales strategies and looking for ideas for new drugs. For this reason, personal medical information is considered valuable enough that pharmaceutical companies are willing to pay large sums for it.

A credit card number bought and sold among hackers on the black market usually goes for between $5 and $20, but personal medical information can fetch up to ten times that amount. Medical information is therefore expected to remain a major target of hacking and data breaches for financial gain; many of the medical data breaches that have come to light were indeed committed for money.



The flow and purpose of medical data breaches

Personal medical information is expensive to buy, and the cost of a breach involving it is even more substantial than for other kinds of data. According to The Value of Personal Data and the Social Cost of Personal Data Breaches, published in 2013 by the Online Privacy Association, breaches in the health care sector are the most expensive kind to respond to.



Sector-specific personnel and IR expenses for response and corporate losses per breach (Source: The Value of Personal Data and the Social Cost of Personal Data Breaches, Online Privacy Association, 2013)

It is therefore important to prepare properly for possible threats and to comply with the relevant legal security requirements, such as the Personal Information Protection Act, in order to minimize the damage resulting from a breach.

Necessary Countermeasures against Medical Data Breaches

Percentage chart of personal information breaches (Source: ITRC, 2014)

According to research by the ITRC (Identity Theft Resource Center), an American NGO, the health care sector accounts for the largest share of personal information breaches. The situation in Korea is similar. The health care sector, which is relatively weakly protected compared to the finance sector, is expected to become a major target of personal data breaches.

In Korea, computerization of the health care sector has progressed rapidly since National Health Insurance was extended to the entire population in 1989. Patients' medical records, which used to be handwritten, and X-ray films were converted into data to be shared over internal and external networks for easier insurance claims and management.

As sharing data has become easier, so has leaking it, and the number of data breaches continues to grow. A decade ago, cases were mostly about unauthorized lookups of politicians' and celebrities' medical records; today's medical data breaches are far larger, taking the form of direct exfiltration of records on hundreds of millions of medical treatments. This is because more people are deliberately stealing the data for profit, as mentioned above.

Medical data breach cases

The National Health Insurance Corporation in Korea handles about 1.4 billion insurance assessments per year. A breach of 500 million medical records should therefore be considered even more serious than the credit card data breach cases.

Consider the case reported in Korean newspapers earlier this year, in which the CEO of a medical data software company was arrested. The company, which developed insurance claim software and provided a cloud service, extracted 500,000,000 claim records from its system and sold them to an international medical data consulting company. The bigger problem is that the hospitals that collected and stored the medical data did not even notice the leak when it happened.

Medical data breach through a software maintenance company

About a hundred companies develop and service health insurance claim software. If any of these companies has weak security controls, a compromise of the company or an insider leaking the data can cause a serious medical data breach.
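The hospitals in the case above never noticed that their claim records were leaving. One reason is that a vendor's maintenance account, unlike a clinician's, is rarely watched. The following Python script is an added example, not code from the original article or from LG CNS: it scans a constructed audit log from a hospital's claim-export gateway and raises an alert when a maintenance (vendor) account exports patient records, when an export goes to a destination that is not an approved claims institution, when a single export is unusually large, when it happens outside business hours, or when one user's exports over a day add up to a bulk export in small chunks. The log format, the account names, the hostnames, the IP address and the thresholds are all assumptions; the log lines are constructed.

```python
"""Spotting the kind of export the hospitals in the case above never noticed.

Added example (not code from the original article or from LG CNS). The log
format, account names, hostnames, IP address and thresholds are assumptions;
adapt them to the audit log your claim gateway actually writes.
"""
import re
from collections import defaultdict
from datetime import datetime, time
from typing import Dict, List, Tuple

# Constructed sample log lines (not real data). One event per line.
SAMPLE_LOG = """\
2015-03-02T09:12:41 user=nurse.kim role=clinical action=view records=1 dst=internal
2015-03-02T09:13:05 user=claims.lee role=billing action=export records=230 dst=hira.or.kr
2015-03-02T23:41:10 user=vendor.svc role=maintenance action=export records=180000 dst=203.0.113.10
2015-03-03T02:05:33 user=vendor.svc role=maintenance action=export records=220000 dst=203.0.113.10
2015-03-03T11:02:17 user=vendor.svc role=maintenance action=patch records=0 dst=internal
2015-03-04T09:00:00 user=claims.lee role=billing action=export records=2000 dst=hira.or.kr
2015-03-04T09:30:00 user=claims.lee role=billing action=export records=2000 dst=hira.or.kr
2015-03-04T10:00:00 user=claims.lee role=billing action=export records=2000 dst=hira.or.kr
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) records=(?P<records>\d+) dst=(?P<dst>\S+)$"
)

# Assumed policy: only the review/assessment and insurance bodies are
# legitimate external recipients of claim data (hostnames are assumptions).
ALLOWED_EXTERNAL = {"hira.or.kr", "nhis.or.kr"}
BULK_THRESHOLD = 5_000          # records in one export, or per user per day
BUSINESS_HOURS = (time(8, 0), time(19, 0))


def parse_log(text: str) -> List[Dict]:
    """Parse the key=value audit lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["records"] = int(ev["records"])
        events.append(ev)
    return events


def event_reasons(ev: Dict) -> List[str]:
    """Per-event rules; an empty list means the export looks normal."""
    reasons = []
    if ev["dst"] != "internal" and ev["dst"] not in ALLOWED_EXTERNAL:
        reasons.append("unapproved destination")
    if ev["records"] >= BULK_THRESHOLD:
        reasons.append("bulk export")
    if ev["role"] == "maintenance":
        reasons.append("maintenance account exporting records")
    if not (BUSINESS_HOURS[0] <= ev["ts"].time() <= BUSINESS_HOURS[1]):
        reasons.append("outside business hours")
    return reasons


def analyze(text: str) -> List[Dict]:
    """Return alerts for suspicious exports: single-event first, then daily totals."""
    alerts = []
    # (user, date) -> [total records exported, largest single export]
    daily: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])
    for ev in parse_log(text):
        if ev["action"] != "export":
            continue
        reasons = event_reasons(ev)
        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                           "records": ev["records"], "reasons": reasons})
        key = (ev["user"], ev["ts"].date().isoformat())
        daily[key][0] += ev["records"]
        daily[key][1] = max(daily[key][1], ev["records"])
    # "Low and slow": many small exports that only add up to bulk over a day.
    # Skipped when a single export that day already tripped the bulk rule.
    for (user, day), (total, largest) in sorted(daily.items()):
        if total >= BULK_THRESHOLD and largest < BULK_THRESHOLD:
            alerts.append({"ts": day, "user": user, "records": total,
                           "reasons": [f"daily export total {total} exceeds {BULK_THRESHOLD}"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["ts"], alert["user"], alert["records"], "; ".join(alert["reasons"]))
```

On the constructed log this raises three alerts: the two night-time exports by the vendor account to an unapproved address (each tripping all four per-event rules), and a daily-total alert for the billing user whose three 2,000-record exports add up to 6,000 in one day. The point of the daily rule is that a leak does not have to look like one big transfer; the point of the maintenance-account rule is that a software vendor normally has no business reading patient records at all, so any export by such an account deserves review regardless of size.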

In addition, the diverse medical services the government is promoting, such as remote medical treatment, medical big data applications, and IoT-based smart health services, may increase the likelihood of medical data breaches.

To prevent such breaches, the security and reliability of the provider must be examined before adopting medical data software, including what access the vendor's staff and maintenance accounts have to the hospital's data and whether exports from the system are logged and reviewed.

Personal Information Flow in the HealthCare Sector and Countermeasures

Medical institutions collect and store personal data on their systems both online and offline, for example on their websites and in EMR (Electronic Medical Record), OCS (Order Communication System), and PACS (Picture Archiving and Communication System) systems, and use it across multiple departments in the hospital. This medical data is then transmitted to multiple related institutions, such as the Ministry of Health and Welfare, the Korea Centers for Disease Control and Prevention, the National Health Insurance Corporation, the Health Insurance Review & Assessment Service, the prosecutor's office, and the police.

Because there are many ways in which this data is collected and provided externally, there are correspondingly many ways to violate the rules for secure processing of medical data stipulated by the Personal Information Protection Act and the Medical Service Act. To respond effectively to these privacy violations, we have to map the overall flow of medical data, identify the possible threats at each point in advance, and implement thorough preventive measures.

Medical data flow in hospitals and possible threats to personal data (Source: LG CNS)

Summarizing the typical breaches and the flow of medical data, countermeasures against possible medical data breaches can be listed as follows.

What should Be Done to Protect Personal Medical Information?

As we have seen, medical data is exposed to a variety of threats, including legal issues and internal and external breaches. Fragmented security solutions and countermeasures cannot respond effectively to all of them.

Personal data protection framework (Source: LG CNS)

To establish a safe foundation for medical data, an effective protection framework is needed that accounts for aspects such as the medical data life cycle, technical and physical protection measures, medical data management systems, and the handling of legal issues.

The health care sector also needs to adopt the Korea Internet & Security Agency's ISMS (Information Security Management System) certification, which assesses the suitability of an organization's data protection system, in order to raise the level of objective verification and the reliability of medical institutions' data security systems.

10 Ways to Prevent Personal Information Abuse (Source: Privacy Information Protection Portal)

The 10 Ways to Prevent Personal Information Abuse may be helpful to readers who visit medical institutions often. It is important to find out specifically how well your information is protected at the institution and to ask for changes if any policies are unsatisfactory. Only then will these institutions pay more attention to protecting medical data and personal information.

Active participation and interest are the best way to keep our personal information safe.

I hope you enjoyed this article on personal information breaches in the health care sector and their countermeasures. In the next article, we will introduce the limitations of security threat analytics and how to improve them.

Written by Ki Jun Kim, Security Advisory, LG CNS Security Consulting Team